OTTAWA — The federal government has reported more data breaches over a recent 10-month period than it reported in the previous 10 years.

Between April 1, 2013 and Jan. 29, 2014 — a period covering 10 months of the fiscal year that ends Monday — federal departments and agencies reported 3,763 breaches of data, which include, but are not limited to, instances where a taxpayer’s or organization’s information was incorrectly released, lost or compromised.

During the previous 10-year period, the government reported slightly more than 3,000 breaches in total, according to figures recently tabled in Parliament. For that decade, however, data was not provided for several agencies.

Even the 10-month figures are missing details. For instance, the Department of National Defence wouldn’t say how many times classified information has been lost, calling the detail a threat to national security.

The large number of breaches reported during the 10-month period is primarily a result of the Canada Revenue Agency reporting details of data problems for the first time.

The CRA, like several other federal departments and agencies, started tracking data breaches as a response to several high-profile cases in which Canadians’ sensitive, personal information was put at risk.

The most recent figures show the CRA accounted for 2,983 — or almost 80 per cent — of breaches during the reporting period. About 120 of those breaches were a result of theft, loss, or information being compromised. Not all were privacy breaches, per se: The government said 95 per cent of those problems were a result of misdirected mail — usually by a taxpayer.

A CRA spokeswoman said that in April 2013 the CRA appointed its first chief privacy officer. The CPO has a “broad mandate for privacy oversight,” including managing internal breaches and ensuring the agency is following new, strict rules to crack down on data breaches.

In the 2013-14 fiscal year, the CRA alerted the privacy commissioner of 32 privacy breaches. Overall, government departments reported 219 breaches to the privacy commissioner, a dramatic jump from previous years and a doubling of the 109 reported in the preceding fiscal year.

“Government departments and agencies appear to be aware of the heightened public concern about breaches,” said Anne-Marie Hayden, a spokeswoman for the privacy commissioner’s office.

“While it’s our view that the federal government generally does a good job of protecting personal information, it is clear that there remains room for improvement.”

The Official Opposition says that improvement should include an overhaul of federal privacy laws, including making it mandatory to report breaches to the privacy commissioner.

“This government is dragging its heels on doing what the privacy commissioner has been seeking, which is compulsory data breach notification,” said NDP national revenue critic Murray Rankin.

“They are being blasé with the privacy of Canadians and this is not trivial information. It is some of the most sensitive information that our government holds about us.”

Given that one-third of breaches this fiscal year were reported to the privacy commissioner’s office, could the office handle the investigative load if the government made it mandatory to report every breach? Hayden couldn’t say.

“The impact on our office of any new breach reporting requirement would depend on a number of things, including what types of breaches had to be reported to us,” she said.

The new figures come after some high-profile cases in which Canadians’ personal information was lost. One of the largest, for instance, occurred when a portable hard drive with social insurance numbers of 583,000 individuals went missing from Employment and Social Development Canada.

jpress@ottawacitizen.com

Twitter.com/jordan_press

psmith@ottawacitizen.com

Twitter.com/P_LSmith

Data breaches by the numbers

Total number of breaches reported for 10 months of 2013-14 fiscal year: 3,763

Total number of people affected by those breaches: 6,318

Number of breaches reported at the Canada Revenue Agency: 2,983

Approximate number of those breaches the CRA said were privacy breaches: 1,372

Number of people affected by six breaches at the National Science and Engineering Research Council: 532

Number of reported breaches at Employment and Social Development Canada: 223

Number of breaches ESDC reported to the privacy commissioner: 0

Number of breaches at NSERC reported to the Office of the Privacy Commissioner: 0

Number of departments that reported all breaches to the privacy commissioner: 8

Number of departments that didn’t report any of their breaches to the privacy commissioner: 10

Number of breaches reported to the privacy commissioner in 2009-10 fiscal year: 10

Number of breaches reported to the privacy commissioner in 2012-13 fiscal year: 109

Number of breaches reported to the privacy commissioner so far in 2013-14 fiscal year: 219

When does the government report a privacy breach to the privacy commissioner?

Not all breaches are reported to the privacy commissioner’s office for review. Treasury Board guidelines lay out three instances when privacy breaches are reported to the watchdog:

– If the breach involves sensitive, personal information such as medical or financial information, or personal identifiers such as a social insurance number;

– If the breach can result in identity theft or some other related fraud;

– If the breach can cause harm or embarrassment that would have a detrimental effect on someone’s career, reputation, financial position, safety, health or well-being.